
Revealed: 300 reasons why US ‘spy-tech’ firm Palantir processes NHS data

Records in the NHS Covid-19 datastore have also been shared with private sector consultancy companies


The NHS is using a US surveillance tech company owned by a billionaire Trump donor to process hundreds of datasets – some of which are being shared with private sector firms.

Department of Health and Social Care data shows NHS England has created more than 300 different purposes for processing information in its “Covid-19 datastore”, which runs on a platform created by Palantir.

Palantir, which has built software to support drone strikes and immigration raids, is also tipped to win a £480m deal this year to build a single database that will eventually hold all the data in the NHS.

The 339 purposes for which the firm already processes NHS information – reported here for the first time – include patient data on mental health, cancer screening and vaccines for sexually transmitted infections.

Access to records in the datastore has been granted more than 60,000 times to users across the health service, government and private sector.

Consultancy firms Deloitte, KPMG, McKinsey and PwC were supplied with information on “integrated care systems planning support” – but NHS England declined to answer questions about which specific datasets this included.

Sam Smith, a healthcare and privacy campaigner at MedConfidential, said: “Good medical care requires people to tell their doctors things they may not even tell their loved ones. But NHS England has given Palantir the green light to suck in their information without asking the public or telling them how it is being used or protected. Once trust is lost, it’s hard to win back.”

NHS England told openDemocracy that it “only shares de-identified data with organisations involved in coordinating the Covid-19 response – including the sharing of statistics with government departments – where there is a legal basis to do so for public good”.

Privacy experts have criticised this position. Dr Neil Bhatia, a GP and data protection expert, told openDemocracy: “The data derived from the Covid-19 store remains both personal data and confidential information, given the richness of the data and the relative ease by which re-identification could occur.”

The datastore also contains more than 50 kinds of “workforce analytics” data and something called “strike analysis”, which NHS England said was created “in anticipation of industrial action” but had never been used in practice. The datastore also includes information on a range of non-clinical subjects such as the impact of Brexit and the NHS Green Plan.

openDemocracy revealed last month that the NHS has ordered English hospitals to share confidential patient information with Palantir.

The firm is under growing scrutiny after its billionaire founder, Peter Thiel, claimed the NHS “makes people sick” and that health service reforms should “in theory, just rip the whole thing from the ground and start over”.


Covid-19 datastore

During the pandemic, Palantir won three contracts without tender to build and manage a ‘Covid-19 datastore’ to help the NHS coordinate its pandemic response.

The datastore would ordinarily have breached patient confidentiality rules but health secretary Matt Hancock temporarily suspended them in March 2020 as Covid cases soared.

NHS executives promised to destroy or return the data collected by Palantir “once the public health emergency situation has ended”. Patient confidentiality rules were reinstated in June 2022 as Covid restrictions were lifted, which left the datastore on uncertain legal grounds.

By this time, one of the executives who had pledged to close the datastore, Indra Joshi, had quit her job as director of the NHS AI lab and joined Palantir. Her Twitter bio states she works for Palantir and adds: “let's get S*** done”.

The Covid-19 datastore remains open today and 75 of its 339 purposes have been created since August last year, according to analysis of information in two DHSC datasets published in response to parliamentary questions by a Labour peer.

The Prime Minister’s Office, the Treasury and the Cabinet Office were also given access to information stored by Palantir, for reasons described only as “data sharing”.

NHS England did not respond to openDemocracy’s questions about what specific data was shared with private companies and Whitehall departments.

Dr Bhatia said NHS patients would not expect their data to be shared after the pandemic: “Patients might have understood that their information was being lawfully siphoned off to Palantir during the pandemic, for Covid-19 purposes.

“There is no reasonable expectation that such data would continue to be held after the pandemic, and continue to be used for purposes related and/or unrelated to Covid-19.”

An NHS spokesperson said: “Data stays under the full control and protection of the NHS at all times and Palantir does not have access to data held within platform instances licensed to NHS England.”

Rosa Curling, a solicitor and director at Foxglove Legal, told openDemocracy that the health service and government had a consent problem: “The government say they plan to use Palantir to revolutionise the handling of patient data – but they’ve not bothered to talk to anyone or get permission for their revolution. That’s a problem. Major changes to how our health data is used must, by law, be subject to explicit consent.”

“Strike analysis”

NHS England created the capacity to analyse the current wave of NHS strikes in Palantir’s software but never did so in practice because officials found they could do the work on Excel spreadsheets.

An NHS spokesperson told openDemocracy: “In anticipation of the upcoming industrial action, a secure area called ‘strike analysis’ was initially set up by NHS England in its Foundry platform, but this was not required as the analysis was able to be carried out using existing methods.

“NHS England is not using – and has never used – Foundry to analyse the impact of industrial action, nor is it linking strike data with human resources data.”

A Palantir spokesperson said the company knew nothing about it: “Precisely because it is software, it enables customers – in this case the NHS – to design their own purposes and decide who has access to those purposes. We neither know what this purpose refers to nor have access to it.”

'Dubious' reputation

NHS-funded research has found that Brits would like to see more public oversight of the Covid-19 datastore, and that many don’t trust the companies involved in its operation.

Three in four participants in three studies by the University of Manchester said they wanted either Parliament or an “independent advisory group of experts and lay people” to decide whether to continue to use the Covid-19 datastore after the pandemic was over.

Meanwhile, “the involvement of companies with dubious reputations and potentially problematic political affiliations as well as little transparency about outside companies’ involvement in the initiative”, was the main reason to oppose the Covid-19 datastore, according to one of the studies.

In spite of this, the NHS extended Palantir’s contract to run the datastore by another six months in January this year.

The health service is also moving ahead with a contentious £480m contract to build a “Federated Data Platform” that would centrally collect and analyse all the data currently held by the NHS, including GP and social care records.

Palantir is widely tipped to win the deal and has recently hired lobbyists from firms run by Rishi Sunak’s election guru, Isaac Levido, and New Labour architect, Peter Mandelson.

A Palantir spokesperson said: “We’re proud that our software supported the distribution of ventilators and the vaccine rollout during Covid and has since helped the NHS to reduce the elective care backlog, cut paperwork for nurses and doctors, and speed up cancer diagnosis – all while rigorously protecting data privacy.”

Lucas Amin

Lucas Amin is a former investigative reporter for openDemocracy.
